Microsoft plans to use Rust as a safe alternative to C and C++

Microsoft is exploring the use of the Rust programming language as an alternative to C, C++ and other languages, in order to improve the security of its applications.

Since 2004, the Microsoft Security Response Center (MSRC) has classified every security vulnerability reported to Microsoft. According to the data it provides, about 70 percent of the fixes in Microsoft's patches each year address memory safety vulnerabilities.

▲ About 70% of Microsoft's security vulnerabilities each year are still memory safety issues

The percentage is this high because most of Windows and other Microsoft products are written mainly in C and C++. These two "memory-unsafe" programming languages give developers fine-grained control over memory addresses and over the code that can be executed there. A flaw in a developer's memory management code can lead to a whole series of memory safety errors, and an attacker could exploit these errors with intrusive and dangerous consequences, such as remote code execution or elevation of privilege.

So exploring the use of memory-safe languages such as Rust has been put on the agenda, and it may become Microsoft's alternative way of creating more secure applications.

Rust was originally a Mozilla research project, intended for rewriting the Firefox browser to be more secure and faster. Recently, the Brave browser replaced its ad-blocking component, originally written in C++, with a Rust version. The 2019 StackOverflow developer survey shows that Rust has been developers' "favorite programming language" for the fourth consecutive year. Developers like it because its syntax is simpler and applications written in Rust have fewer bugs, so developers can focus on extending their applications rather than on ongoing maintenance work.

Gavin Thomas, chief security engineering manager at MSRC, suggested that third-party developers should also look into memory-safe languages. He cited a number of reasons, for example how much time and effort developers spend learning to debug the memory-related security vulnerabilities that appear in C++ applications. But this is clearly inappropriate. "The core of a developer's work is not to be concerned about security, but to do feature development," Thomas said, asking: "Why not develop in a language that does not introduce memory safety issues from the outset?"

To this end, he urged: "If the industry really cares about security, it should focus on the developer's tools, and should not be blinded by all the security equipment and outdated methods. We first have to work hard to prevent the developer from introducing defects, rather than provide guidance and tools for resolving defects."

Original post on the official MSRC blog: https://msrc-blog.microsoft.com/2019/07/16/a-proactive-approach-to-more-secure-code/

Origin www.oschina.net/news/108368/microsoft-is-exploring-to-use-rust-as-more-secure-code